DUAL ELLIPTIC PRIMES AND APPLICATIONS TO CYCLOTOMY PRIMALITY PROVING

PREDA MIHAILESCU 

Abstract. Two rational primes p, q are called dual elliptic if there is an elliptic curve E mod p with q points. They were introduced as an interesting means for combining the strengths of the elliptic curve and cyclotomy primality proving algorithms. By extending to elliptic curves some notions of Galois theory of rings used in the cyclotomy primality tests, one obtains a new algorithm which has heuristic cubic run time and generates certificates that can be verified in quadratic time.

After the breakthrough of Agrawal, Kayal and Saxena settled the complexity theoretical problem of primality testing, some interest remains for the practical aspect of state of the art implementable proving algorithms.



1. Introduction 

Primality testing is a discipline in which constructions of objects in fields of positive characteristic p are mimicked in algebras over rings Z/(n·Z) for integers n which one believes to be prime, and of whose primality one wishes to have a proof. The constructions should then allow an efficient computation and be based on operations which have the property of either yielding results over Z/(n·Z) or else display a factor of n or at least a proof of its compositeness.

In the simplest cases, the constructions restrict to simple verifications. Fermat's "small Theorem", stating that a^{p−1} ≡ 1 mod p for rational primes p and bases a not divisible by p, is the first ingredient used for fast verification of primality of integers n. In the simplest version of the idea, the Fermat pseudoprime test to base a checks a^{n−1} ≡ 1 mod n and returns "composite" if the congruence is not verified. If it is verified, only probabilistic statements can be made about the primality of n.

Stronger statements are obtained when one has sufficient information about the factorization of n − 1. For instance, if there is a prime q | (n − 1) with q > √n, while (a^{(n−1)/q} − 1, n) = 1 and a^{n−1} ≡ 1 mod n, then one easily proves that n is prime. This test constructs a primitive q-th root of unity modulo n, in the sense that Φ_q(α) ≡ 0 mod n with α = a^{(n−1)/q} rem n and Φ_q the q-th cyclotomic polynomial. Tests of this type are known under the name of Lucas-Lehmer tests. They share the feature that one proves that a certain number α ∈ (Z/n·Z)* is a primitive q-th root of unity for some q > √n, so it generates a cyclic subgroup of (Z/n·Z)* which is, by its size, incompatible with the hypothesis that n is composite.
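As an added illustration that is not part of the paper, the following Python code runs the Lucas-Lehmer style test just described: it checks a^{n−1} ≡ 1 mod n and (a^{(n−1)/q} − 1, n) = 1 for a prime q | n − 1 with q > √n, returns the primitive q-th root of unity α with Φ_q(α) ≡ 0 mod n, and reports a factor of n whenever a gcd falls strictly between 1 and n. Function names and the sample inputs are constructed for this example.

```python
from math import gcd, isqrt


def is_small_prime(q: int) -> bool:
    """Trial division; q is the auxiliary prime of the test, small in these examples."""
    return q >= 2 and all(q % d for d in range(2, isqrt(q) + 1))


def geometric_sum_mod(alpha: int, k: int, n: int):
    """Return ((1 + alpha + ... + alpha^(k-1)) mod n, alpha^k mod n) in O(log k) steps.

    For a prime q the first component is Phi_q(alpha) = (alpha^q - 1)/(alpha - 1)
    evaluated without any division in Z/(n*Z).
    """
    if k == 0:
        return 0, 1
    s, p = geometric_sum_mod(alpha, k // 2, n)
    s, p = s * (1 + p) % n, p * p % n              # S(2j) = S(j) * (1 + alpha^j)
    if k & 1:
        s, p = (s * alpha + 1) % n, p * alpha % n  # S(j+1) = alpha * S(j) + 1
    return s, p


def lucas_lehmer_test(n: int, q: int, a: int):
    """Lucas-Lehmer style test for n with a prime q | n - 1, q > sqrt(n), and base a.

    Returns ('prime', alpha) when alpha = a^((n-1)/q) rem n is a primitive q-th
    root of unity mod n, i.e. alpha^q = 1, Phi_q(alpha) = 0 and alpha - 1 is a unit;
    ('composite', factor_or_None) when the Fermat test fails or a gcd exposes a
    factor; ('inconclusive', reason) when the hypotheses are not met.
    """
    if n < 3 or not is_small_prime(q) or (n - 1) % q or q * q <= n:
        return ('inconclusive', 'need a prime q with q | n-1 and q > sqrt(n)')
    g = gcd(a, n)
    if g == n:
        return ('inconclusive', 'base a is divisible by n')
    if g > 1:
        return ('composite', g)
    if pow(a, n - 1, n) != 1:                      # Fermat pseudoprime test fails
        return ('composite', None)
    alpha = pow(a, (n - 1) // q, n)
    g = gcd(alpha - 1, n)
    if g == n:                                     # alpha = 1: the order of a misses q
        return ('inconclusive', 'a^((n-1)/q) = 1, try another base')
    if g > 1:                                      # (alpha - 1, n) neither 1 nor n
        return ('composite', g)
    phi_q, alpha_q = geometric_sum_mod(alpha, q, n)
    # alpha^q = a^(n-1) = 1 and alpha - 1 a unit force Phi_q(alpha) = 0, so alpha
    # generates a subgroup of order q > sqrt(n) of (Z/nZ)*.  Every prime r | n then
    # has q | r - 1, hence r > sqrt(n), which leaves n = r.
    assert alpha_q == 1 and phi_q == 0
    return ('prime', alpha)


if __name__ == "__main__":
    print(lucas_lehmer_test(23, 11, 5))    # constructed: 11 | 22 and 11 > sqrt(23)
    print(lucas_lehmer_test(15, 7, 2))     # constructed composite: Fermat test fails
    print(lucas_lehmer_test(341, 17, 2))   # 17^2 < 341: hypotheses not met
```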

The idea was generalized, freeing it of the requirement for a priori knowledge of large factors of n − 1. This is made possible by working in larger extensions of Z/(n·Z) and using more involved properties of rings in cyclotomic fields and the related Gauss and Jacobi sums. The resulting algorithms are currently denoted by the generic name Cyclotomy Primality Proving (CPP). They originate in the work of Adleman, Pomerance and Rumely [1] and were improved by Lenstra et al. [31], [23], [22], [8], [26]. Their main idea is to build a frame - a Galois algebra over Z/(n·Z) - in which a factor Ψ(X) | Φ_s(X) mod n can be constructed for some large s and such that, if n is prime, the factor is irreducible. The definitions of the Galois algebras in which the tests take place have undergone some variations [SI], [30], [53] since their introduction in [22].

The name CPP covers an unconditionally deterministic variant and one which is deterministic under assumption of the ERH, as well as a Jacobi sum and a Lucas-Lehmer variant; all the variants may well be combined together. The CPP test provides a proof of the fact that the s-th cyclotomic polynomial Φ_s(X) ∈ Z[X] - for some special, large and highly composite integers s - factors modulo n the way it should, if n were prime. If this is the case, primality of n follows, or the existence of some prime factor

(1) r ∈ {n^i rem s : i = 1, 2, …, t = ord_s(n)}.

The algorithms of CPP are de facto fast, competitive primality proving algorithms, but they have the complexity theoretically intolerable feature of a provable superpolynomial run time

(2) O(log(n)^{log log log(n)}),

which is in fact the expected size of t in (1).

The use of elliptic curves was first proposed for primality proving by Goldwasser and Kilian [18] in an algorithm which was proved to be random polynomial up to a possible, exponentially thin, exceptional set. The algorithm was made computationally practical by Atkin [3], who suggested a method of determining the expected number of points on an elliptic curve by using complex multiplication. It now runs under the generic name ECPP (Elliptic Curve Primality Proving) and was first implemented in 1989 and continuously improved since then, by F. Morain [32].

The algorithms we present in this paper build upon the idea of Atkin on the one hand, on extending the use of Galois rings to the context of elliptic curve primality proving and, finally, on a novel concept of dual elliptic primes. These are loose relatives of twin primes in imaginary quadratic extensions and allow to combine the worlds of CPP and ECPP in a new algorithm that we call CIDE. The fundamental gain of CIDE consists in eliminating the alternative (1) in CPP, thus yielding a random polynomial algorithm, which is practically an improvement of both CPP and ECPP. We note that the computation of Jacobi sums, which was another superpolynomial step in CPP, can be solved in random polynomial time thanks to the novel algorithm of Ajtai et al. [3]; in practice, the computation of Jacobi sums can be solved in very short time using their arithmetic properties and a PARI program for finding generators of principal ideals. Herewith CIDE is faster by a factor of log(n) than either version of ECPP, i.e. [18], which is slower but has a proof of random polynomial run time for almost all inputs, or FastECPP [36], which runs de facto in time O((log(n))^{4+ε}), but the run time proof uses some heuristics. Unsurprisingly, the same kind of proofs can be provided for the two versions of CIDE: this is due to the fact that the first step of finding a pair of dual elliptic pseudoprimes requires running one round of some version of ECPP.

The structure of the paper is the following. In the next section we give some general definitions and facts related to elliptic curves over finite fields, complex multiplication and ECPP. In the third section we develop a theory of elliptic extensions of Galois rings, which is a natural analog of the cyclotomic extensions used in CPP [28]. Section four brings the definition of dual elliptic primes and their pseudoprime counterparts and the basic properties of pseudoprimes which are going to be exploited algorithmically in the subsequent section. Finally, section six gives run time analysis and implementation data and in section seven we draw some brief conclusions.



2. Elliptic curves and related pseudoprimes 

If K is some field, the equation Y² = X³ + AX + B, with A, B, X, Y ∈ K and the discriminant Δ = 4A³ + 27B² ≠ 0, defines an elliptic curve over K. We denote it by

(3) E_K(A, B) = { (X, Y) : Y² = X³ + AX + B },

or simply E when there is no ambiguity. The elements P = (X, Y) ∈ E are points and the curve is endowed with an addition law, R = P ⊕ Q, defined by

(4) λ = (Q_y − P_y)/(Q_x − P_x) for P ≠ Q, λ = (3P_x² + A)/(2P_y) for P = Q,
    R_x = λ² − (P_x + Q_x), R_y = λ·R_x + (P_y − λ·P_x).

We let

μ(P, Q) = Q_x − P_x if P ≠ Q, and μ(P, Q) = 2P_y otherwise.

The neutral element is the point at infinity O and P ⊕ Q = O iff μ(P, Q) = 0; the inverse of P = (X, Y) is −P = (X, −Y). This makes E into an abelian group - see also [H], §2.2. The k-fold addition of a point with itself is written [k]P and can be expressed by explicit polynomials over K:

(5) [k]P = ( φ_k(P_x)/ψ_k(P_x)², P_y·ω_k(P_x)/ψ_k(P_x)³ ), with φ_k, ψ_k, ω_k ∈ Z[A, B][X];

see [41], Theorem 3.6, where the Y coordinates are given by some bivariate polynomials. These can be reduced to mono-variate ones as above.

The k-torsion of E_K(A, B) is the set

E_{K̄}(A, B)[k] = {P ∈ E_{K̄}(A, B) : [k]P = O}.

Note that the torsion is defined over the algebraic closure; if the characteristic is 0 or coprime to k, then E_K(A, B)[k] ≅ Z/(k·Z) × Z/(k·Z), e.g. [H], Chapter 3. Furthermore, the torsion is related to the zeroes of ψ_k(X) by

(6) E_K(A, B)[k] = {P ∈ E_{K̄}(A, B) : ψ_k(P_x) = 0}.

In algorithmic applications, the field K is a finite field. Here it is mostly a prime field F_p, with p a rational prime, and we write E_{F_p} = E_p. In this case, the size of the group is bounded by the Hasse interval.

It is useful to consider the addition law of elliptic curves also over rings Z/(n·Z), with n a rational integer which need not be a prime. In such cases the addition law is not everywhere defined, but it turns out that exactly the points P, Q for which P ⊕ Q is not defined are of great algorithmic use. The applications of this generalization are found in factoring and primality testing. Since the conditions which are given in fields by T ≠ 0 - e.g. for T = μ(P, Q) or T = Δ - are replaced by GCD computations and the requirement that T ∈ (Z/n·Z)*, whenever such a condition is not met, a possible non trivial factor of n is found. Thus the fact that addition is not defined in such a case turns out to be an advantage rather than a nuisance, since finding non trivial factors achieves the goal of the algorithm.

Formally, for a given n ∈ N_{>1} one lets

(7) E_n(A, B) = {(X, Y) ∈ (Z/(n·Z))² : Y² = f(X)}, with f(X) = X³ + AX + B,

where A, B ∈ Z/(n·Z) are such that 4A³ + 27B² ∈ (Z/n·Z)*. Addition of two points is defined by (4) whenever μ(P, Q) ∈ (Z/n·Z)*. Certainly, the pair (E_n(A, B), ⊕) does not define a curve in the sense of algebraic geometry and is not even a group. We may however and shall refer to the set of points E_n(A, B) as the elliptic curve with parameters A, B over Z/(n·Z) and use the partial addition on this curve.

In primality testing we have the usual ambiguity consisting in the fact that the curves E_n which we use are defined in the sense of (7); if a test for n completes successfully, they turn out to be proper curves in the sense of algebraic geometry, defined over the field F_n. Otherwise, non trivial factors of n or other contradictions to the hypothesis that n is a prime may be encountered in the process of a test.

Due to (5), the k-fold addition can be uniquely defined for any P ∈ E_n(A, B) such that ψ_k(P_x) ∈ (Z/n·Z)*; it does not depend on particular addition chains for k. Note that since A, B ∈ Z/(n·Z) and ψ_k ∈ Z[A, B][X], the division polynomial ψ_k(X) ∈ Z/(n·Z)[X]. Let the k-torsion in this case be

E_n(A, B)[k] = {P ∈ E_n(A, B) : (ψ_k(P_x), n) ≠ 1}.

We say that a torsion point P ∈ E_n(A, B) is proper if (ψ_k(P_x), n) = n; for an improper k-torsion point, an algorithm using k-multiplication on E_n(A, B) would end by featuring a non trivial divisor of n.

Note that unlike the field case, we have only defined torsion points of E_n(A, B) which lie in (Z/(n·Z))². For the general case, we need a substitute for the algebraic closure of a field. For this we define the following formal algebras¹:

Definition 1. Let p_k(X) | ψ_k(X) be a polynomial such that (p_k(X), ψ_i(X)) = 1 for i < k. We define a k-torsion algebra R and the two points k-torsion algebra R' by:

(8) R = Z/(n·Z)[X]/(p_k(X)) and Θ = X mod p_k(X) ∈ R,
    R' = R[Y]/(Y² − f(Θ)), Ω = Y mod (Y² − f(Θ)) ∈ R'.

In a two points torsion algebra R', the pair P = (Θ, Ω) ∈ R'² verifies by construction the equation of E_n(A, B): Y² = f(X).

We claim that the iterated addition [i]P is defined for P and each i < k. Indeed, if this were not the case for some i < k, there is a prime p | n and a maximal ideal 𝔓 ⊂ R' containing p, such that [i]P mod 𝔓 = O_p, the point at infinity of the curve E(A mod p, B mod p) over R'/𝔓. This contradicts the premise (p_k(X), ψ_i(X)) = 1, thus confirming the claim. It follows that the points [i]P ∈ R'² are k-torsion points in the two points algebra.

There is a unique monic polynomial g_i(X) ∈ Z/(n·Z)[X] of degree < deg(ψ_k(X)), such that ψ_i(X)²·g_i(X) ≡ φ_i(X) mod ψ_k(X). Then g_i(Θ) = ([i]P)_x by (5), since ψ_k(Θ) = 0. We have thus:

(9) g_i(Θ) = ([i]P)_x, with P = (Θ, Ω) ∈ R'².

A size s(E_n) will be the result of some algorithm for computing the number of elements of an elliptic curve in the case when n is prime. The size may depend upon the algorithm with which it is computed. Two approaches are known: the variants of Schoof's algorithm [35] and the complex multiplication approach of Atkin [3].

We can herewith extend some notions of pseudoprimality to elliptic curves: 

Definition 2. Let n be an integer and E_n(A, B) a curve with size m. We say that n is an elliptic Fermat pseudoprime with respect to this curve, if there is a point P ∈ E_n(A, B)[m].

Furthermore, if q | m is an integer, we say that n passes an elliptic Lucas-Lehmer test of order q (with respect to E_n(A, B)), if there is a point P ∈ E_n(A, B)[q].

The test of Goldwasser and Kilian [18], which is the precursor of ECPP, can herewith be stated as follows: given n, find a curve E_n(A, B) with a size m divisible by a probable prime q > (n^{1/4} + 1)² and show that n passes a Lucas-Lehmer test for q. If q is an actual prime, then the test implies that n is also one. So one iterates the procedure for q, obtaining a descending chain which reaches probable primes of polynomial size in O(log(n)) steps. In [18] sizes are estimated using the algorithm of Schoof. Even in the much faster version of these days [9], this would still yield an impractical algorithm. It does have the advantage of a provable run time analysis.
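The partial addition over Z/(n·Z) and the elliptic Lucas-Lehmer test of Definition 2, as an added Python example that is not part of the paper: the addition uses the standard chord-and-tangent formulas, the denominator μ(P, Q) is inverted only when (μ, n) = 1 and a non-trivial gcd is reported as a factor of n, and [m/q]P is checked to be a proper q-torsion point, followed by the Goldwasser-Kilian bound q > (n^{1/4} + 1)². The curves, points and sizes are constructed test data (y² = x³ + x + 6 over F_11 has 13 points); all function names are chosen for this example.

```python
from math import gcd

INF = None   # the point at infinity O


class FactorFound(Exception):
    """mu(P, Q) is non-zero but not a unit mod n: gcd(mu, n) is a proper factor."""

    def __init__(self, factor: int):
        super().__init__(f"non-trivial factor {factor}")
        self.factor = factor


def ec_add(P, Q, A: int, n: int):
    """Partial addition on E_n(A, B): Y^2 = X^3 + A X + B over Z/(n Z), n odd.

    Standard chord-and-tangent formulas.  The denominator mu(P, Q) (Q_x - P_x,
    or 2 P_y when P = Q) is inverted only if it is a unit; mu = 0 gives O and a
    mu that is neither zero nor a unit exposes a factor of n.
    """
    if P is INF:
        return Q
    if Q is INF:
        return P
    if P[0] == Q[0]:
        if (P[1] + Q[1]) % n == 0:          # Q = -P (includes P = Q with P_y = 0)
            return INF
        if P[1] != Q[1]:                    # same X, equal Y^2 but Y != +-Y': never mod a prime
            raise FactorFound(gcd(P[1] - Q[1], n))
        mu, num = 2 * P[1] % n, (3 * P[0] * P[0] + A) % n
    else:
        mu, num = (Q[0] - P[0]) % n, (Q[1] - P[1]) % n
    g = gcd(mu, n)
    if g != 1:
        raise FactorFound(g)
    lam = num * pow(mu, -1, n) % n
    Rx = (lam * lam - P[0] - Q[0]) % n
    Ry = (lam * (P[0] - Rx) - P[1]) % n
    return (Rx, Ry)


def ec_mul(k: int, P, A: int, n: int):
    """k-fold addition [k]P by double-and-add; raises FactorFound when undefined."""
    R = INF
    while k:
        if k & 1:
            R = ec_add(R, P, A, n)
        k >>= 1
        if k:
            P = ec_add(P, P, A, n)
    return R


def elliptic_lucas_lehmer(n: int, A: int, B: int, m: int, q: int, P):
    """Elliptic Lucas-Lehmer test of order q (Definition 2) for the size m of E_n(A, B).

    Returns ('q-torsion', Q) if Q = [m/q]P is a proper q-torsion point ([q]Q = O),
    ('factor', g) if a partial addition exposes a factor g of n, and
    ('fail', reason) otherwise (wrong size m, unlucky P, or composite n).
    """
    if n % 2 == 0 or m % q or gcd(4 * A**3 + 27 * B**2, n) != 1:
        return ('fail', 'need n odd, q | m and a unit discriminant')
    P = (P[0] % n, P[1] % n)
    if (P[1] ** 2 - P[0] ** 3 - A * P[0] - B) % n:
        return ('fail', 'P is not on the curve')
    try:
        Q = ec_mul(m // q, P, A, n)
        if Q is INF:
            return ('fail', '[m/q]P = O, choose another point')
        if ec_mul(q, Q, A, n) is not INF:
            return ('fail', '[q]Q != O: m is not the size or n is composite')
    except FactorFound as e:
        return ('factor', e.factor)
    return ('q-torsion', Q)


def goldwasser_kilian_bound(n: int, q: int) -> bool:
    """q > (n^(1/4) + 1)^2: with q prime and a proper q-torsion point, n is prime."""
    return q > (n ** 0.25 + 1) ** 2   # floating point suffices for the sizes used here


if __name__ == "__main__":
    # Constructed data: y^2 = x^3 + x + 6 over F_11 has 13 points and (2, 7) generates.
    print(elliptic_lucas_lehmer(11, 1, 6, 13, 13, (2, 7)), goldwasser_kilian_bound(11, 13))
    # The same point on y^2 = x^3 + x + 39 over Z/143Z (143 = 11 * 13) exposes the factor 11.
    print(elliptic_lucas_lehmer(143, 1, 39, 13, 13, (2, 7)))
```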

If the field K = F_q is a finite field of characteristic p, then the Frobenius map Φ_q : X ↦ X^q is an endomorphism of E_{F_q}(A, B) and verifies a quadratic equation:

(10) Φ_q² − t·Φ_q + q = 0

in End(E_{F_q}(A, B)), as shown for instance in [39], p. 135. The number t is related to the size of the group E over F_q by |E_q| = q + 1 − t. In particular, if q = p = π·π̄ for π ∈ O ⊂ 𝕂, the "CM field" of E (see below), then t = Tr(π), [13], Chapter 14, in particular Theorem 14.6.

¹ We are not interested here in the problem of constructing algebras which contain, like in the field case, two linearly independent torsion points.

The Frobenius acts as a linear map on E_q(A, B)[k]. If k = ℓ is a prime, E[ℓ] is a vector space and there is a matrix M_ℓ(Φ_q) ∈ GL_2(F_ℓ) associated to the Frobenius modulo ℓ. The reduced equation (10) modulo ℓ is also the characteristic polynomial of M_ℓ(Φ_q).

If δ = t² − 4q is a quadratic residue modulo ℓ, (δ/ℓ) = 1, then the equation (10) has two distinct roots mod ℓ, which are the eigenvalues λ_{1,2} ∈ F_ℓ of the Frobenius. Accordingly, there are points P_{1,2} ∈ E_q(A, B)[ℓ] such that

Φ_q(P_i) = [λ_i]P_i, i = 1, 2.

In the context of algorithms for counting points on elliptic curves [38], the primes with (δ/ℓ) = 1 are often referred to as Elkies primes, while all other primes are Atkin primes. In this case, to each eigenvalue there corresponds an eigenpolynomial defined by

(11) F_i(X) = ∏_{k=1}^{(ℓ−1)/2} (X − ([k]P_i)_x) ∈ F_q[X], i = 1, 2.

Here ([k]P_i)_x is the x-coordinate of the point [k]P_i. Various algorithms have been developed for the fast computation of the eigenpolynomials, without prior knowledge of the eigenpoints or eigenvalues; see for instance [9] for a recent survey.

2.1. Complex Multiplication and Atkin's approach to ECPP. We recall some facts about complex multiplication and refer to [13], Chapter 14 and [39], Chapter V, for a more in depth treatment.

Fact 1. Let p be a prime and E_p(A, B) be an ordinary elliptic curve². Then there is a quadratic imaginary field 𝕂 = Q(√−d) and an order O ⊂ 𝕂 such that:

1. The endomorphism ring of E_p(A, B) is isomorphic to O.

2. There is a π ∈ O such that p = π·π̄ and the number of points

(12) |E_p(A, B)| = N(π ± 1),

the sign being defined only up to twists.

3. If H_O(X) ∈ Z[X] is a polynomial which generates the ring class field H of O, i.e. H = 𝕂[X]/(H_O(X)), then H_O(X) splits completely modulo p.

4. There is a zero j_0 ∈ H of the polynomial H_O(X) and an elliptic curve E_H(a, b) defined over H such that:

a) The j-invariant of E_H(a, b) is j_0, or r(j_0) with r(X) ∈ Q(X).

b) Its endomorphism ring is isomorphic to O and

c) the curve has good reduction at a prime 𝔭 ⊂ O_H above (p).

d) The reduction is E_p(A, B), and it is a direct consequence of CM that E_p(A, B) is ordinary.

Under these circumstances, the curve E_H(a, b) is unique and is called the Deuring lift of E_p(A, B). The prime p splits in principal ideals in O if and only if 3. holds - see e.g. [13], Theorem 9.2 for the case when O is the maximal order. In particular:

(13) p = π·π̄ with π ∈ O ⟺ ∃ x ∈ F_p : H_O(x) = 0.

² A curve is ordinary if it is regular and not supersingular, [41], p. 75.
Thus the endomorphism ring associates an order in an imaginary quadratic field to an ordinary elliptic curve over a finite field - the association being actually an isomorphism of rings. Non-isomorphic curves can be associated to one and the same order. This fact allows to construct curves over a finite field F_p which have a known endomorphism ring, and thus the size may be derived directly from (12). The algorithm involves the construction of polynomials H_O(X) for various orders of small discriminant until one is found which splits completely modulo p. The methods for computing H_O(X) have been subject of investigation for over a decade; see [33] for an in depth treatment and [S] for current improvements. The advantage of this approach is that curves with known size can be computed faster than by using the best versions of Schoof's algorithm for computing the size of a given curve. Thus although this approach is not used for finding the size of a given curve, it is sufficient for some applications where it suffices to know some curve together with its number of points.

The idea of Atkin was to produce similar associations for curves E_n(A, B), with n not necessarily prime, and to estimate their size using the equation in (12). In order to produce such an association, one uses algorithms for finite fields. The construction may thus stop with a contradiction to the hypothesis that n is prime. Otherwise it is expected to produce an order O ⊂ Q[√−d] in which n factors in principal ideals n = ν·ν̄ : ν ∈ O and such that H_O(X) has a linear factor in Z/(n·Z). Furthermore, it produces a curve E_n(A, B) with Atkin size m = N(ν ± 1) as suggested by (12). Several discriminants d are tried, until it is found by trial factorization that m is divisible by a large pseudoprime q. Finally, a point P ∈ E_n(A, B) is sought, such that ψ_q(P_x) ∉ (Z/n·Z)*. If P is not a proper q-th torsion point, a non trivial factor of n is found and the algorithm terminates. Otherwise, if q is in fact prime, then so must n be, by the Lucas-Lehmer argument. This leads to an iterative primality proof, like in the case of Goldwasser and Kilian, but with a faster estimation of the size. However, since the discriminants d must have polynomial size, the curves taken into consideration are not random. Unlike the case of [18], the fact that one can find in polynomial time a discriminant such that the above conditions hold is supported by heuristic arguments. Such arguments are given in [17].

We introduce the following notion of pseudoprimes, related to the above algorithm:

Definition 3. Let n be an integer and E_n(A, B) be an elliptic curve (with partial addition), 𝕂 = Q(√−d) be a quadratic imaginary field and O ⊂ 𝕂 some order. We say that (E_n(A, B), O) are associated if the following conditions are fulfilled:

1. The integer n is square free, there is a ν ∈ O such that n = ν·ν̄, and
(14) (n, ν + ν̄) = 1.

2. There is a polynomial H_O(X) ∈ Z[X], which generates the ring class field H of O, i.e. H = 𝕂[X]/(H_O(X)), and which has a zero j_0 ∈ (Z/n·Z)*. Furthermore, the j-invariant of E_n(A, B) is a rational function in j_0.

Remark 1. We refer the reader to [4], [15], [16] for details on techniques for choosing the polynomial H_O. It should be mentioned that the modular equation is a theoretical alternative for the polynomial H_O(X), and it has the j-invariants as zeroes; however, from a computational point of view, the modular equation is impractical, having very large coefficients, so one constructs alternative polynomials which generate the same field.

Based on the associations of curves and orders, one defines Atkin pseudoprimes as follows:

Definition 4. We say that n is an Atkin pseudoprime, if

• There is a curve E_n(A, B) associated to an order O ⊂ 𝕂 = Q[√−d] according to the above definition.

• The Atkin size of E_n(A, B) is m = N(ν ± 1) and is divisible by a strong pseudoprime q³.

• There is a proper q-torsion point P ∈ E_n(A, B)[q].

The pseudoprime n is thus given by the values

(n, (E_n(A, B), O), P, q).

In all versions of the ECPP test, one seeks a random curve whose size is divisible by some large pseudoprime q, the parameters A, B ∈ Z/(n·Z) being chosen uniformly at random. In this case, if n is a prime, it is known that the sizes of the curves are close to uniformly distributed in the Hasse interval [14], Theorem 7.3.2. This fact is useful for the run time analysis of the Goldwasser-Kilian test.

Atkin's test builds descending sequences of Atkin pseudoprimes n, q, …, until pseudoprimes of polynomial size are reached. The discriminant −d of the field 𝕂 must be polynomial in size, which is an important restriction for the choice of O. For prime n, the density of the curves with CM in fields with polynomial discriminant is exponentially small. Thus Theorem 7.3.2 does not hold and there is thus no proof for the fact that ECPP terminates in polynomial time even on almost all inputs.

We note the following consequence of condition 2.:

Lemma 1. Suppose that n > 2 is an integer for which there exists an association (E_n(A, B), O) according to Definition 3 and let p | n be a rational prime. Then E_p(Ā, B̄) with Ā = A rem p, B̄ = B rem p is an elliptic curve over the field F_p with CM in O and p splits in principal ideals in this order, say p = π·π̄.

Proof. The curve E_p(Ā, B̄) is defined by reduction modulo p. The polynomial H_O(X) has a root j_0 ∈ Z/(n·Z) and thus j̄_0 = j_0 mod p is a root thereof in F_p. The j-invariant will then be a rational function of this value. Then (13) implies that p = π·π̄. □

³ Since q | m, a q-torsion point should be found in the curve over Z/(n·Z), if n is prime, so the condition is consistent.

3. Gauss sums and CPP

The Jacobi sum test [1], [5T], which is the initial version of CPP, is based on the use of Gauss and Jacobi sums. Over some field K, these are classical character sums, see e.g. Chapter 8. In primality testing however, the images of the characters are taken over some ring Z/(n·Z) which need not be a field. We need thus a dedicated context of cyclotomic extensions of rings for the definition of these sums.
Since their definition by Lenstra [23], cyclotomic extensions have undergone various modifications [H], [26], [EH], [24] until the recent "pseudo-fields" [SUES]. We shall follow here the definitions given in [51]. Proofs of the facts we shall need are in [2i], [27].

Let n ∈ N be an integer and consider rings of characteristic n, more precisely finite Abelian ring extensions R ⊃ Z/(n·Z). Galois extensions [27] are simple algebraic extensions of the form R = Z/(n·Z)[T]/(f(T)) endowed with automorphisms which fix Z/(n·Z). We are interested in the simple Frobenius extensions defined by:

Definition 5. Let R be a finite commutative ring of characteristic n and Ψ(X) ∈ R[X] a monic polynomial. We say that the ring extension R = Z/(n·Z)[X]/(Ψ(X)) is simple Frobenius if:

F1. There is a t > 0 such that

where ζ = X + (Ψ(X)) ∈ R.

F2. Let x_i = ζ^{n^i} ∈ R. There is a σ ∈ Aut(R/Z/(n·Z)) acting like a cyclic permutation on S = {x_1, x_2, …, x_t}.

Let s ∈ Z_{>1} and Φ_s(X) ∈ Z[X] be the s-th cyclotomic polynomial. If Ψ(X) ∈ Z/(n·Z)[X] is a polynomial with Φ_s(X) ≡ 0 mod (n, Ψ(X)) and the extension R = Z/(n·Z)[X]/(Ψ(X)) is simple Frobenius, we say that (R, ζ, σ) is an s-th cyclotomic extension of Z/(n·Z).

In general, if R ⊃ Z/(n·Z) is an algebra and ζ ∈ R is such that Φ̄_s(ζ) = 0, with Φ̄_s(X) = Φ_s(X) mod n, then we say that ζ is a primitive s-th root of unity modulo n.

Remark 2. The reader may regard a cyclotomic extension R as an extension of the ring Z/(n·Z) which contains a primitive s-th root of unity ζ and on which an automorphism acts that fixes Z/(n·Z). One can prove - without knowing that n is prime - sufficient properties about R in order to be allowed to work in the extension as if it were a finite field and n were a prime; this behavior justifies the name of pseudo-fields recently employed by Lenstra.

The pairs (n, s) for which cyclotomic extensions exist are exceptional. The existence of such pairs is a strong property of n with respect to s, that often qualifies n to behave like a prime. The following fact reflects this claim: an s-th cyclotomic extension of Z/(n·Z) exists if and only if

(15) r ∈ <n mod s> for all r | n.

Let p be an odd prime and k(p) = v_p(n^{p−1} − 1), with v_p the p-adic valuation. If it exists, a p-th cyclotomic extension of Z/(n·Z) may also contain a p^{k(p)}-th primitive root of unity; this is in fact true if n is a prime. This leads to the following

Definition 6. Let p be a prime. The saturation exponent of p is:

(16) k(p) = v_2(n² − 1) if p = 2 and n ≡ 1 mod 4, and k(p) = v_p(n^{p−1} − 1) otherwise.
Let m = ∏_i p_i^{e(i)} be the prime factorization of an integer. The (n-)saturated order above m is:

An m-th cyclotomic extension (R, σ, ζ) is called saturated if m ≥ m̃ and subsaturated otherwise. If e(i) = k(p_i) for all p_i | m, the extension is minimal saturated.

Saturated extensions are characterized by the following property:

Fact 2. If (R, σ, ζ) is a saturated m-th extension and m' | m^h for some h > 0 (i.e. m' is built up from primes dividing m), then R[X]/(X^{m'} − ζ) is an m·m'-th cyclotomic extension.

If (R, σ, ζ), (R', σ', ζ') are saturated m-th and m'-th extensions for (m, m') = 1, then (R × R', σ ∘ σ', ζ·ζ') is a saturated mm'-th extension, for the natural lifts of σ, σ' to R × R'.

The use of saturated extensions in primality testing is given by the following

Lemma 2 (Cohen and Lenstra, [11]). Suppose that p is a prime with (p, n) = 1, for which a saturated p-th cyclotomic extension of Z/(n·Z) exists. Then for any r | n there is a p-adic integer l_p(r) and, for p > 2, a number u_p(r) ∈ Z/((p−1)·Z), such that:

r = n^{u_p(r)} mod p and

(17) r^{p−1} = (n^{p−1})^{l_p(r)} ∈ {1 + p·Z_p} if p > 2,
     r = n^{l_2(r)} ∈ {1 + 2·Z_2} if p = 2.

Proof. Using (15), the hypothesis implies that r ∈ <n mod p^k> for all k ≥ 1, which implies (17). □

Gauss and Jacobi sums over Z/(n·Z) will be defined by means of characters over saturated extensions. Let p, q be two rational primes which do not divide n, let k > 0 and (R, ζ, σ) be a saturated p^k-th extension which additionally contains a primitive q-th root of unity ξ; the ring R need not be minimal with these properties. Let χ be a multiplicative character χ : (Z/q·Z)* → <ζ> of conductor q and order d | p^k. If d = 1, χ is the trivial character 1. The (cyclotomic) Gauss sum of χ with respect to ξ is

τ(χ) = Σ_{x ∈ (Z/q·Z)*} χ(x)·ξ^x.

It can be shown that τ(χ) ∈ R*, since τ(χ)·τ(χ^{−1}) = χ(−1)·q. For a, b ∈ Z such that χ^a, χ^b, χ^{a+b} ≠ 1, the Jacobi sum

j(χ^a, χ^b) = Σ_x χ^a(x)·χ^b(1 − x) = τ(χ^a)·τ(χ^b)/τ(χ^{a+b}).

The multiple Jacobi sums J_u(χ) are defined by:

J_1 = 1,
(18) J_{u+1} = J_u · j(χ, χ^u), for u = 1, 2, …, d − 2.

It is easy to verify by induction that:

(19) J_u = … for u = 1, 2, …, d, where …

Let s = ∏_{q ∈ Q} q be a product of primes from the set Q such that there is a t = ∏_{p^k ∈ P} p^k, with P a set of prime powers, and for all q ∈ Q, q − 1 | t. Let R be the product of saturated p^k-th cyclotomic extensions and C = {χ_{p^k,q} : p^k ∈ P, q ∈ Q} be a set of characters of conductor q and order p^k with images in R. If n = b(p^k)·p^k + r(p^k) is the Euclidean division of n by each p^k, it can be shown [51 [^[^ that a cyclotomic s-th extension of Z/(n·Z) exists if

(20) J_{p^k}(χ_{p^k,q})^{b(p^k)} · J_{r(p^k)}(χ_{p^k,q}) ∈ <ζ_{p^k}>, for each χ ∈ C.

Verifying these relations is the main stage of the CPP test.

Remark 3. Due to an analytic number theoretical Theorem of Prachar, Odlyzko and Pomerance, one knows that two parameters s, t can be chosen, such that s > √n and t = O(log(n)^{log log log(n)}), with s | (n^t − 1) for any n. The complexity of CPP is polynomial in t; both the number of prime powers dividing t and their size are upper bounded by

(21) B = O(log log(n)), ω(t) < B and p^k ‖ t ⟹ p^k < B.

We shall use an auxiliary construction involving dual elliptic primes in order to show that if n passes the tests (20) together with some additional conditions - which are more involved to formulate, but can be verified faster than (20) - then either n is prime, or it has a prime factor r with l_{p^k}(r) = 1 for all p^k ∈ P.

The constructions involve elliptic Gauss and Jacobi sums, which we shall introduce below. We first define the simplest analogue of cyclotomic extensions for elliptic curves.

Definition 7. Let n > 2 be an integer and ℓ ∤ n be an odd prime. Let E_n(A, B) be an elliptic curve and ψ_ℓ(X) be the ℓ-th division polynomial of the curve. Suppose that F(X) ∈ Z/(n·Z)[X] is such that

1. F(X) | ψ_ℓ(X).

2. If E = Z/(n·Z)[X]/(F(X)) and Θ = X mod F(X) ∈ E, then

F(T) = ∏_{i=1}^{(ℓ−1)/2} (T − g_i(Θ)),

where g_i(X) are the multiplication polynomials defined in (9). In particular the elementary symmetric polynomials of the g_i(Θ) lie in Z/(n·Z).

Then F(X) is called an Elkies factor of ψ_ℓ(X) over Z/(n·Z) and E is an Elkies ring. Additionally, we let

E' = E[Y]/(Y² − f(Θ)) and Ω = Y mod (Y² − f(Θ)) ∈ E'

be the two coordinates Elkies ring.

Let (R, ζ, σ) be a saturated (ℓ−1)-th cyclotomic extension and χ : (Z/ℓ·Z)* → R be a multiplicative character of odd order. We define Gauss sums in Elkies rings by:

τ_ℓ(χ) = Σ_{x=1}^{ℓ−1} χ(x)·g_x(Θ).

In the case when the order of χ is even and χ(−1) = −1, the sums above vanish due to the parity of g_x. One uses the Y-coordinates in the two coordinates Elkies ring, and some related multiplication polynomials. The formal definition based on repeated addition of P = (Θ, Ω) in E' is in this case:

τ_ℓ(χ) = Σ_{x=1}^{ℓ−1} χ(x)·([x]P)_y.

The values of ([x]P)_y can be computed using Ω and polynomials in Θ; we skip the details here and refer to [29], [30] for an in depth treatment of theoretical and computational aspects of elliptic Gauss and Jacobi sums.

The Jacobi sums have no closed definition like in the cyclotomic case, so they must be deduced as quotients of Gauss sums:

j_ℓ(χ^a, χ^b) = τ_ℓ(χ^a)·τ_ℓ(χ^b)/τ_ℓ(χ^{a+b}), if τ_ℓ(χ^{a+b}) ∈ E*.

The case τ_ℓ(χ) ∉ E* is improbable, but cannot be excluded currently. This is best explained in the case when n = r is a prime. Then E_r(A, B) has a Deuring lift to some curve E_H(a, b). The Gauss sums of curves in characteristic 0 have been studied by R. Pinch in [37] and it was shown that along with the ramified primes dividing ℓ·Δ, where Δ is the discriminant of the curve, some spurious and unexplained primes may appear in the factorization of the Gauss sum. Since Δ reduces to the discriminant of the curve E_r(A, B), which is non-vanishing by definition, and ℓ ≠ r, the spurious primes may be divisors of r, in which case τ_ℓ(χ) ∉ E*. If n is not prime and (τ_ℓ(χ), n) ∉ {1, n}, a non trivial factor is found. We shall assume in our algorithm that the case (τ_ℓ(χ), n) = n is scarce. It can be avoided by changing the choice of ℓ, as we shall detail below. If ℓ is a conductor such that (τ_ℓ(χ), n) = n for some character of conductor ℓ, then we say that ℓ is an exceptional conductor (for the curve E_n(A, B)).

If n = r is a prime, then Θ^n = g_λ(Θ) for some λ ∈ (Z/ℓ·Z)*, an eigenvalue of the Frobenius. In that case, raising the definition of the Gauss sum to the power n yields:

τ_ℓ(χ)^n = Σ_{x=1}^{ℓ−1} χ^n(x)·g_{xλ}(Θ) = χ^{−n}(λ)·τ_ℓ(χ^n), and

(22) τ_ℓ(χ)^n/τ_ℓ(χ^n) = χ^{−n}(λ).

The right hand side of the equation can be computed, like in the cyclotomic case, by using multiple Jacobi sums in R.
4. Elliptic extensions of rings

In this section we generalize the notion of cyclotomic extension of rings to elliptic curves. We shall say that an Elkies algebra is an elliptic extension of $\mathbb{Z}/(n \cdot \mathbb{Z})$ if the power $n$ acts like a Frobenius, i.e. (22) is verified when the prime $r$ is replaced by $n$. Note that this is a slightly milder condition than the one for cyclotomic extensions, since we are not interested in finding an actual factor of $F(X)$ which has degree equal to the order of $n$ in the group $(\mathbb{Z}/\ell \cdot \mathbb{Z})^*/\{-1, 1\}$, i.e. the degree of an irreducible factor of $F(X)$ in the case when $n$ is prime.

Definition 8. Let $m \in \mathbb{N}_{>2}$ be an elliptic Atkin pseudoprime: there is a curve $\mathcal{E}_m(A, B) : Y^2 = X^3 + A \cdot X + B$ associated to an order $\mathcal{O} \subset \mathbb{K} = \mathbb{Q}(\sqrt{-d})$ and such that $m = \mu \cdot \overline{\mu}$ for a $\mu \in \mathcal{O}$. Let $\ell$ be a rational prime such that $\left(\frac{-d}{\ell}\right) = 1$.

A. For each prime power $q \,\|\, (\ell - 1)$, there is a saturated $q$-th cyclotomic extension $\mathrm{R}_q \supset \mathbb{Z}/(m \cdot \mathbb{Z})$. The rings $\mathrm{R}_q$ will also be called working extensions.

B. There is an $\ell$-th cyclotomic extension $\mathrm{R}_\ell \supset \mathbb{Z}/(m \cdot \mathbb{Z})$ constructed by verifying (20) over the extensions $\mathrm{R}_q$.

C. In particular, then

(23) $r = m^{l_p(r)} \bmod \ell$ for $p \mid q$ a prime and for all $r \mid m$.

Let $\psi_\ell(X)$ be the $\ell$-th division polynomial associated to $\mathcal{E}_m(A, B)$ and suppose that an Elkies factor $F(X) \mid \psi_\ell(X) \bmod m$ is known and $(E', \Omega)$ is the two coordinates Elkies algebra. For a prime power $q \,\|\, (\ell - 1)/2$ we let $\chi_q : (\mathbb{Z}/\ell \cdot \mathbb{Z})^* \to \mathrm{R}$ be a character of order $q$ and conductor $\ell$. Suppose that:

1. For each odd $q$, $(\tau_\ell(\chi), m) = 1$ and

(24) $\tau_\ell(\chi)^m / \tau_\ell(\chi^m) = \eta_q \in \langle \zeta \rangle$.

2. For even $q$, $(\tau'_\ell(\chi), m) = 1$ and

(25) $\tau'_\ell(\chi)^m / \tau'_\ell(\chi^m) = \eta'_q \in \langle \zeta \rangle$.

If the above conditions are met, we say that an $\ell$-th elliptic extension of $\mathbb{Z}/(m \cdot \mathbb{Z})$ related to $\mathrm{R}$ exists. The conditions $\chi_q(\lambda) = \eta_q$ for odd $q$ and $\chi_q(\lambda) = \eta'_q$ for even $q$ uniquely determine $\lambda_m \in (\mathbb{Z}/\ell \cdot \mathbb{Z})^*$. This value will be denoted as the eigenvalue of the elliptic extension $E$.

The point C. of the definition is a fact following from points A. and B. and not a condition. The main fact about elliptic extensions is the following:

Theorem 2. Let $n \in \mathbb{N}_{>2}$ be an integer and $\ell$ a prime not dividing $n$. If all the conditions for existence of an $\ell$-th elliptic extension of $\mathbb{Z}/(n \cdot \mathbb{Z})$ are fulfilled and $r \mid n$ is a prime, $\mathcal{E}_r(A, B) = \mathcal{E}_n(A, B) \bmod r$, then

A. The curve $\mathcal{E}_r(A, B)$ has CM in $\mathcal{O}$ and $\overline{F}(X) = F(X) \bmod r$ is an Elkies factor of its $\ell$-th torsion polynomial.

B. There is an eigenvalue $\lambda_r \in (\mathbb{Z}/\ell \cdot \mathbb{Z})^*$ of the Frobenius of $\mathcal{E}_r(A, B)$ such that $P^r = [\lambda_r] P$ for all points $P \in \mathcal{E}_r(A, B)[\ell]$ such that $\overline{F}(P_x) = 0$.

C. If $\lambda_m$ is the eigenvalue of the Elkies extension, $p$ is the prime dividing $q$ and $l_p(r)$ is defined by (17) with respect to the extension $\mathrm{R}$, then

(26) $\chi_q(\lambda_r) = \chi_q(\lambda_m)^{l_p(r)}$ $\quad \forall q$.

(27) $\chi_q(r/\lambda_r) = \chi_q(m/\lambda_m)^{l_p(r)}$ $\quad \forall q$.
Proof. The point A. follows from Lemma 1. Point B. follows from the factorization patterns of the division polynomial, e.g. [38], Theorems 6.1, 6.2.

For proving (26), we use the fact that $\mathrm{R}$ is a cyclotomic extension and let $\sigma : \zeta \mapsto \zeta^r$ act on the identities (24). The $Y$-component conditions (25) are treated identically and will not be developed here.

(28) = • a(ry-"re(x;')) = r?"^"' • ct\t,{x,)), . . . 

Inserting k — (p{q) we obtain r"^*''"^ = ?7g and for K — p ■ (p{q), writing N = , 
we have 

If $r \mid n$ is a prime, by (22),

$$\tau_\ell(\chi_q)^r \equiv \chi_q(\lambda_r)^{-r} \cdot \tau_\ell(\chi_q^r) \bmod r \cdot \mathrm{R}.$$

Let $m \in \mathbb{N}$ be such that $m = l_p(r) \bmod \varphi(q)$ and $m = u_p(r) \bmod (p - 1)$, with $u_p(r)$ and $l_p(r)$ defined by (17). Then $\sigma^m(\chi_q) = \chi_q^r$ and

(29) ?;£(r - n™) ^ ^^(n"' • (r/n™ - 1)) > Wf(Ar - 1). 

We let $k = m$ in (28), use $\sigma^m(\tau_\ell(\chi_q)) = \tau_\ell(\chi_q^r)$ and divide. This is allowed, since $(\tau_\ell(\chi_q), n) = 1$ by condition 1. Thus

$$\tau_\ell(\chi_q)^{n^m - r} \equiv \left( \chi_q(\lambda_r) \cdot \eta_q^{-m} \right)^r \bmod r \cdot \mathrm{R}.$$

Raising this congruence to the power $a$, where $a$ is the largest divisor of $(N - 1)$ which is coprime to $\ell$, and using the above, we get:

$$1 \equiv \left( \chi_q(\lambda_r) \cdot \eta_q^{-m} \right)^{ra} \bmod r \cdot \mathrm{R}.$$

Since $(ra, \ell) = 1$, we deduce that $\chi_q(\lambda_r) \cdot \eta_q^{-m} = 1 \bmod r\mathrm{R}$, and since $(\ell, n) = 1$ also $\chi_q(\lambda_r)\,\eta_q^{-m} = 1$ and $\chi_q(\lambda_r) = \eta_q^m = \eta_q^{l_p(r)}$. This holds for all primes $r \mid n$ and by multiplicativity, for all $r \mid n$. In particular, since $l_p(m) = 1$, it follows that $\chi_q(\lambda_m) = \eta_q$, thus recovering the definition of the eigenvalue of the elliptic extension. The proof of (26) is complete. As for (27), it follows from (26) and (23). □

The notion of elliptic extension for composites is now straightforward:

Definition 9. Let $L = \prod_{i=1}^{l} \ell_i \in \mathbb{N}$ be square-free, with $\ell_i$ being primes. Assume that there is a $\varphi(L)$-th saturated working extension $\mathrm{R} \supset \mathbb{Z}/(m \cdot \mathbb{Z})$ and an $L$-th extension $\mathrm{R}_L \supset \mathrm{R}$.

Suppose also that $m$ is an Atkin pseudoprime, so there is a curve $\mathcal{E}_m(A, B)$ associated to an order $\mathcal{O} \subset \mathbb{K} = \mathbb{Q}[\sqrt{-d}]$. We say that an $L$-th elliptic extension exists if the conditions of Definition 8 are fulfilled for all $\ell_i$ in the working extension or subextensions thereof.

Note that relation (26) is a strengthening of the consequence $p = m^{k_L(p)} \bmod L$, usual in classical cyclotomy tests. It follows from the definition and (26), (27) that

(30) $\lambda_r = \lambda_m^{k_L(r)} \bmod L$ for $k_L(r) = l_p(r)$, for all $p \mid \varphi(L)$,

(31) $(r/\lambda_r) = (m/\lambda_m)^{k_L(r)} \bmod L$.
We shall combine this strengthening with properties of dual elliptic pseudoprimes, which we introduce in the next section, with the goal of eliminating the final trial division (1) in cyclotomy tests of a given pair of dual elliptic primes.

5. Dual Elliptic Primes and Pseudo-primes 

We start with the definition of the dual elliptic primes, which is, as mentioned 
in the introduction, related to the notion of twin primes in the rational integers. 

Definition 10. We say that two primes $p$ and $q$ are dual elliptic primes associated to an order $\mathcal{O} \subset \mathbb{K} = \mathbb{Q}(\sqrt{-d})$, if there is a prime $\pi \in \mathcal{O}$ such that $p = \pi \cdot \overline{\pi}$ and $q = (\pi + \varepsilon)(\overline{\pi} + \varepsilon)$ with $\varepsilon = \pm 1$.

Dual elliptic primes exist: in the ECPP program, a special flag was introduced in order to skip dual pseudoprimes, which do not reduce the size of the numbers to be proved prime; it happens regularly that the flag is set [31]. Furthermore, empirical considerations of Galbraith and McKee [17] suggest that they are sufficiently frequent in order to develop efficient algorithms in which they are used. The problem of showing that dual elliptic primes have a satisfactory asymptotic distribution is certainly much harder.
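As an added illustration (not code from the paper), the following Python enumerates dual elliptic primes in the sense of Definition 10 for the maximal order of $\mathbb{Q}(\sqrt{-d})$ by testing $N(\pi)$ and $N(\pi \pm 1)$ for primality, and checks the bound $|p - q| \le 2\sqrt{\max(p, q)}$ of Corollary 1 below on each pair found; the helper names are my own.

```python
# Added example (not from the paper): enumerating dual elliptic primes in the
# sense of Definition 10 and checking the bound of Corollary 1 on them.
# Helper names (ring_params, norm_trace, dual_elliptic_pairs, ...) are my own.
from math import isqrt
from typing import List, Tuple


def is_prime(n: int) -> bool:
    """Trial division; adequate for the small norms enumerated here."""
    if n < 2:
        return False
    for f in range(2, isqrt(n) + 1):
        if n % f == 0:
            return False
    return True


def ring_params(d: int) -> Tuple[int, int]:
    """Describe the maximal order O of K = Q(sqrt(-d)) by a Z-basis 1, w:
    w = (1 + sqrt(-d))/2 if d = 3 mod 4, else w = sqrt(-d) (d square-free).
    Returns (Tr(w), N(w))."""
    if d % 4 == 3:
        return 1, (1 + d) // 4
    return 0, d


def norm_trace(a: int, b: int, d: int) -> Tuple[int, int]:
    """Norm and trace of pi = a + b*w in O:
       N(pi) = a^2 + a*b*Tr(w) + b^2*N(w),   Tr(pi) = 2a + b*Tr(w)."""
    t, nw = ring_params(d)
    return a * a + a * b * t + b * b * nw, 2 * a + b * t


def dual_elliptic_pairs(d: int, bound: int) -> List[Tuple[int, int, int, int, int]]:
    """All (p, q, a, b, eps) with pi = a + b*w, 0 <= a <= bound, 1 <= b <= bound,
    p = N(pi) prime, q = N(pi + eps) prime, eps in {+1, -1}.
    A rational prime norm makes pi a prime of O, so (p, q) are dual elliptic
    primes associated to O: p = pi*conj(pi), q = (pi + eps)*(conj(pi) + eps)."""
    found = []
    for a in range(bound + 1):
        for b in range(1, bound + 1):
            p, _ = norm_trace(a, b, d)
            if not is_prime(p):
                continue
            for eps in (1, -1):
                q, _ = norm_trace(a + eps, b, d)   # pi + eps = (a + eps) + b*w
                if is_prime(q):
                    found.append((p, q, a, b, eps))
    return found


def corollary_bound_holds(p: int, q: int) -> bool:
    """|p - q| <= 2*sqrt(max(p, q)), the one-prime-factor case of (33) in
    Corollary 1; compared as integers after squaring to avoid floating point."""
    return (p - q) ** 2 <= 4 * max(p, q)


def both_odd_pairs(d: int, bound: int) -> List[Tuple[int, int]]:
    """Dual pairs with p and q both odd. Since q - p = eps*Tr(pi) + 1, this
    needs Tr(pi) odd, which only happens for w = (1 + sqrt(-d))/2 and b odd;
    in particular every dual pair in Z[i] (d = 1) contains the prime 2."""
    return [(p, q) for p, q, *_ in dual_elliptic_pairs(d, bound) if p % 2 and q % 2]


if __name__ == "__main__":
    for p, q, a, b, eps in dual_elliptic_pairs(3, 6):   # O = Z[w], w a cube root of unity
        print(f"d=3: pi = {a} + {b}w, eps={eps:+d}: (p, q) = ({p}, {q}), "
              f"Corollary 1 bound holds: {corollary_bound_holds(p, q)}")
    print("pairs of odd primes in Z[i]:", both_odd_pairs(1, 20))   # expect []
```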

We define, in the spirit of pseudoprimality followed in the introduction, a pair of dual elliptic pseudoprimes as follows:

Definition 11. Let $m$ and $n$ be two strong pseudoprimes, $\mathcal{O} \subset \mathbb{K} = \mathbb{Q}(\sqrt{-d})$ an order in an imaginary quadratic extension and assume that there are two curves $\mathcal{E}_m(A, B)$, $\mathcal{E}_n(C, D)$ which are both associated to $\mathcal{O}$ in the sense of Definition 4. In particular, $m, n$ are Atkin pseudoprimes. Furthermore, we assume that:

1. There are a point $P \in \mathcal{E}_m(A, B)[n]$ and a point $Q \in \mathcal{E}_n(C, D)[m]$ and the (Atkin) sizes of the curves are

$$|\mathcal{E}_m(A, B)| = n, \quad \text{and} \quad |\mathcal{E}_n(C, D)| = m.$$

2. The sizes $m$ and $n$ factor in $\mathcal{O}$ as

(32) $m = \mu \cdot \overline{\mu}$, and $n = (\mu + \varepsilon) \cdot (\overline{\mu} + \varepsilon)$, with $\varepsilon = \pm 1$.

Note that from (14) we have that $m, n$ are square-free.

3. The polynomial $H_{\mathcal{O}}(X)$ has a root $j_m$ modulo $m$, and a root $j_n$ modulo $n$, and the curves $\mathcal{E}_m(A, B)$, $\mathcal{E}_n(C, D)$ have invariants which are rational functions in these values.

4. Both $m$ and $n$ have no prime factor $p < 5$.

If these conditions are fulfilled, the pair $(m, n)$ is called a pair of dual elliptic pseudoprimes associated to the order $\mathcal{O}$.

Finding a point $P$ on $\mathcal{E}_m(A, B)$ can be done by adapting a trick of [H, 8.6.3], thereby bypassing the problematic extraction of a square root modulo $m$. This works as follows: find $x_0 \bmod m$ for which $\lambda = x_0^3 + A x_0 + B \bmod m$ is such that $\left(\frac{\lambda}{m}\right) = 1$. Then $P = (\lambda x_0, \lambda^2)$ is a point on the curve $Y^2 = X^3 + A\lambda^2 X + B\lambda^3$, which should be isomorphic to $\mathcal{E}_m(A, B)$ if $m$ is actually a prime¹.

Practically, dual elliptic pseudoprimes are found by featuring a pair of strong pseudoprimes $(m, n)$; the pseudoprime test may consist in taking the roots $\sqrt{-d} \bmod m$, $\sqrt{-d} \bmod n$, operations which are anyhow necessary in the context. The integers $m$ and $n$ both split in a product of two principal primes in $\mathbb{K}$, such that there is a pair of factors which differ by $\pm 1$. Once such pseudoprimes are found, the invariants $j_m, j_n$ must be computed by methods explained in [34], [4]. Then the curves $\mathcal{E}_m(A, B), \mathcal{E}_n(C, D)$ can be built and points on these curves are chosen as explained above. The points are used in order to perform an elliptic pseudoprime test, as required in point 1 of Definition 11. In practice one notes that, given a strong pseudoprime $n$, finding an appropriate order $\mathcal{O}$ and a dual elliptic pseudoprime $m$ to $n$ is a particular form of the first round of an elliptic curve primality test (ECPP) [34]. In particular, the heuristic arguments based upon [17] suggest that this step requires cubic time.

¹ I thank F. Morain for this observation.

The easiest fact about dual elliptic pseudoprimes is the following: 

Lemma 3. Two dual elliptic pseudoprimes $(m, n)$ associated to an order $\mathcal{O}$ are simultaneously prime or composite. Furthermore, if $m, n$ are composite and $\mathcal{O} \subset \mathbb{K} = \mathbb{Q}(\sqrt{-d})$, then for any prime divisor $\ell \mid m \cdot n$ there is a $\lambda \in \mathcal{O}(\mathbb{K})$ such that $\ell = \lambda \cdot \overline{\lambda}$.

Proof. Assume $m$ is prime. Then item 1. of Definition 11 requires also an elliptic Fermat primality proof for $n$. It implies that for any possible prime $q \mid n$, the curve $\mathcal{E}_q(A, B) = \mathcal{E}_n(A, B) \bmod q$ has a point of prime order $m > (\sqrt{n} - 1)^2$. This cannot hold for primes $q < \sqrt{n}$ and thus $n$ is prime too. Conversely, if $n$ is prime, $m$ is also prime by the same argument. This confirms the first statement.

Suppose now that $m$ and $n$ are composite and $\ell \in \mathbb{N}$ is a prime so that $\ell \mid n$, say. The condition (14) implies that $n$ is square-free and Lemma 1 together with point 2. of Definition 3 imply that $\ell$ splits in a product of principal ideals of $\mathcal{O}$, which completes the proof. □

We shall assume from now on, without restriction of generality, that $\varepsilon = 1$ in Definition 11 (note that changing the sign of $\varepsilon$ amounts to interchanging $m$ and $n$). We prove that the tests required by the definition imply that, if dual elliptic pseudoprimes are composite, then their least prime factor has the dual elliptic prime property.

Theorem 3. Let $(m, n)$ be a pair of composite dual elliptic pseudoprimes associated to an order $\mathcal{O} \subset \mathbb{Q}(\sqrt{-d})$ and let $p \mid m$ be the least prime factor of $m$. Then there is a prime factor $q \mid n$, such that $p, q$ are dual elliptic primes.

Furthermore, if the prime $q$ is not the least prime factor of $n$, then both $m$ and $n$ are built up of at least three prime factors.

Proof. By Definitions 4 and 11 there is a point $P \in \mathcal{E}_m(A, B)$ with $[n]P = \mathcal{O}$. Let $\overline{P} = P \bmod p \in \mathcal{E}_p(A, B) = \mathcal{E}_m(A, B) \bmod p$; it has an order $h \mid n$. If $h$ is a prime, then $p, h$ are dual elliptic primes and the proof is completed. Let us thus assume that $h$ is composite and $q \mid h \mid n$ is the least prime dividing $h$, so $h = q \cdot u$, with some $u > 1$. By the choice of $q$ it follows that $q^2 \le qu = h$. We then consider $Q \in \mathcal{E}_n(C, D)[m]$ and the point

$$\overline{Q} = (Q \bmod q) \in \mathcal{E}_q(C, D) = (\mathcal{E}_n(C, D) \bmod q),$$

which must have a non trivial order $h' \mid m$, since $Q$ is an $m$-th torsion point. The choice of $p$ implies $h' \ge p$. Applying the Hasse inequalities to $h$ and $h'$ we find:

$$(\sqrt{p} - 1)^2 \le h \le (\sqrt{p} + 1)^2,$$
$$p \le h' \le (\sqrt{q} + 1)^2.$$

Thus, from the first two lines, $q \le \sqrt{p} + 1 \le u + 2$ and combining with the other inequalities we have:

$$q \cdot u \le (\sqrt{p} + 1)^2 \le h' + 1 + 2\sqrt{p}.$$

After division by $q$, we find the following bounds on $u$:

$$1 < u \le \frac{(\sqrt{q} + 1)^2}{q} + \frac{2u + 3}{q} \le 1 + 4/q + 2/\sqrt{q} + 2u/q,$$

and since $q \ge 5$, also $3u/5 < 3$. This is impossible, since $u \ge q \ge 5$ is an integer. Thus $u = 1$ and $h = q$ is prime, which completes the proof of the second statement.

We had chosen $q$ as the least prime factor of $h$, the order of the point $\overline{P} \in \mathcal{E}_p(A, B)$. We now show that if $q$ is not the least prime factor of $n$, then $n$ has more than two prime factors. Assume that $q' < q$ is the least prime dividing $n$. By the proof above, there is a prime $p' \mid m$ such that $(q', p')$ are dual; also the premises imply that $p' > p$. Given the double duality, we have the following factorizations in $\mathcal{O}(\mathbb{K})$:

$$p = \pi \cdot \overline{\pi}; \quad q = \rho \cdot \overline{\rho} = (\pi + \delta)(\overline{\pi} + \delta),$$
$$p' = \pi' \cdot \overline{\pi'}; \quad q' = \rho' \cdot \overline{\rho'} = (\pi' + \delta')(\overline{\pi'} + \delta'),$$

where $\delta, \delta' = \pm 1$ and $\pi$ and $\pi'$ can be chosen such that their traces are positive.

We assume that $m = p \cdot p'$ and $n = q \cdot q'$ and insert the last equations in the factorizations of $m$ and $n$ in $\mathbb{K}$:

$$m = \mu \cdot \overline{\mu} \quad \text{and} \quad \mu = \pi \cdot \pi',$$
$$n = (\mu + 1) \cdot (\overline{\mu} + 1) \quad \text{and} \quad \mu + 1 = (\pi + \delta) \cdot (\pi' + \delta').$$

Subtracting the right hand side equations, we find $1 - \delta \cdot \delta' = \delta\pi' + \delta'\pi$. If $\delta = \delta'$, this implies $\pi + \pi' = 0$ and $\mu$ is a square. If $\delta = -\delta'$ then $\pi' - \pi = 2\delta$ and $\rho = \pi + \delta$, so $\rho' = \pi' + \delta' = \pi + 2\delta + \delta' = \pi + \delta = \rho$, then $\nu$ is a square. But both $\mu, \nu$ were assumed square-free, a contradiction which confirms that at least one of $m$ and $n$ must have three factors.

Assume now that one of $m, n$ is built up of two primes, say $m = p \cdot p'$, while $n = q \cdot q' \cdot q''$, where $q''$ is a factor which may be composite and $q' < q < q''$; $p < p'$. By duality, we have $q' > (\sqrt{p'} - 1)^2$ and $q'' > q > (\sqrt{p} - 1)^2$, thus

$$n = q \cdot q' \cdot q'' > m \cdot \left( (p + 1 - 2\sqrt{p}) \cdot (1 - 2/\sqrt{p})(1 - 2/\sqrt{p'}) \right).$$

For $p' > p > 11$ it follows that $n > 1.367\, m$ and $m > 121$, in contradiction with $n < m + 1 + 2\sqrt{m} < 1.2\, m$. The remaining cases can be eliminated individually, using the fact that small primes $5 < p < 11$ split in principal ideals only in few imaginary quadratic extensions, and in those cases, if $p = \pi \cdot \overline{\pi}$, then $\pi \pm 1$ is not prime. □

An immediate consequence is the following: 
Corollary 1. Let $(m, n)$ be dual elliptic pseudoprimes associated to the order $\mathcal{O} \subset \mathbb{K} = \mathbb{Q}(\sqrt{-d})$ and $k = k(m, n) = \max\{\Omega(m), \Omega(n)\}$, where $\Omega(x)$ denotes the number of prime factors of $x$, with repetition. Then there are two primes $p \mid m$ and $q \mid n$ such that:

(33) $|p - q| < 2\sqrt{\max(p, q)} \le 2 \max(m, n)^{1/(2k)} \le 2 \max(m, n)^{1/4}$.

Proof. Suppose that $m$ has $k = k(m, n)$ factors and let $p$ be its least prime factor, so $p \le m^{1/k}$. Let $q$ be the dual prime of $p$ dividing $n$: the existence of $q$ follows from the previous theorem. Then (33) follows from the duality of $p$ and $q$ and the bound on $p$. □

We finally show that dual elliptic pseudoprimes with two factors might exist. This leads to a formula which is reminiscent of formulae for the prime factors of Carmichael numbers.

Theorem 4. Let $(m, n)$ be a pair of dual elliptic pseudoprimes associated to an order $\mathcal{O} \subset \mathbb{Q}[\sqrt{-d}]$ and suppose that both are built up of exactly two prime factors. Let $m = \mu \cdot \overline{\mu}$ and $n = (\mu + 1) \cdot (\overline{\mu} + 1)$ be the factorizations of $m$ and $n$ in $\mathbb{K}$. Then there is a prime $\pi$, an element $\alpha \in \mathcal{O}$ and a unit $\delta$, such that:

(34) $\mu + 1 = (\pi + \delta) \cdot (\alpha\pi + \delta)$ and $\mu = \pi \cdot (\alpha(\pi + \delta) + \delta)$.

Proof. Let $m = p \cdot p'$ and $n = q \cdot q'$ be the rational prime factorizations of $m$ and $n$. Since $m$ and $n$ have only two prime factors, it follows from Theorem 3 that the least primes, say $p, q$, must be dual to each other. So let $p = \pi \cdot \overline{\pi}$ and $q = \rho \cdot \overline{\rho} = (\pi + \delta) \cdot (\overline{\pi} + \delta)$.

Let also $p' = \pi' \cdot \overline{\pi'}$ and $q' = \rho' \cdot \overline{\rho'}$. The size of $\mathcal{E}_{q'}(C, D) = \mathcal{E}_n(C, D) \bmod q'$ divides $m$ and it follows, after an adequate rearrangement of conjugates, that there is an $\varepsilon = \pm 1$ such that $\rho' - \varepsilon$ is divisible by either $\pi$ or $\pi'$.

If the divisor was $\pi'$ we would reach a contradiction like in the last step of the proof of Theorem 3. Assume thus that $\rho' = \alpha\pi + \varepsilon$, the divisor being $\pi$. Symmetrically, $\pi' = \beta\rho + \varepsilon'$. First consider the splitting of $\nu$:

$$\mu + 1 = \nu = \rho \cdot \rho' = (\pi + \delta)(\alpha\pi + \varepsilon) = \pi(\alpha\pi + \alpha\delta + \varepsilon) + \delta\varepsilon.$$

Reducing the above equation modulo $\pi$, we conclude that $\delta\varepsilon = 1$ and thus $\varepsilon = \delta$, both factors being $\pm 1$. Let us compare the two expressions for $\mu$:

$$\mu = (\alpha\pi^2 + \delta(\alpha + 1)\pi + 1) - 1 = \pi(\beta(\pi + \delta) + \varepsilon')$$

and, after dividing $\pi$ out,

$$(\alpha - \beta)(\pi + \delta) = \varepsilon' - \delta.$$

If $\varepsilon' = \delta$, then $\alpha = \beta$ and the claim follows. If $\alpha \ne \beta$, one can divide both sides by $\alpha - \beta$:

$$\pi + \delta = \pm\frac{2}{\alpha - \beta}, \quad \text{thus } (\alpha - \beta) \mid (2).$$

Assuming that $\alpha - \beta = \zeta \in \mathcal{O}(\mathbb{K})^*$, one finds $\rho = \pi + \delta = 2\zeta'$, for some related root of unity $\zeta'$. This contradicts the fact that $\rho\overline{\rho} = q > 5$.

Finally we have to consider the case when $\alpha - \beta \in \mathcal{O}$ divides $2$ and is not a unit. The only quadratic imaginary extension in which the prime $2$ factors in principal ideals is $\mathbb{K} = \mathbb{Q}[i]$. Thus for $\mathbb{K} \ne \mathbb{Q}[i]$ we must have $\alpha = \beta$ and the statement follows. Finally, if $\mathbb{K} = \mathbb{Q}[i]$ we substitute $\alpha - \beta = 1 \pm i$ in the previous identity and find solutions for $\pi, \pi'$; $\rho, \rho'$ which are also of the shape (34): this completes the proof. □

5.1. Elliptic extensions of dual elliptic pseudoprimes. Let $(m, n)$ be a pair of dual elliptic pseudoprimes associated to an order $\mathcal{O} \subset \mathbb{K} = \mathbb{Q}(\sqrt{-d})$ and $\mathcal{E}_m(A, B)$, $\mathcal{E}_n(C, D)$ be the respective curves. We have shown that to the least prime $p \mid m$ there is a dual elliptic $q \mid n$ and both factor into principal primes in $\mathbb{Q}(\sqrt{-d})$; let $p = \pi \cdot \overline{\pi}$ and $(\pi + \delta)(\overline{\pi} + \delta) = q$ be these factorizations, with $\delta = \pm 1$. Suppose that $L$ is a square free integer for which the $L$-torsions of the curves $\mathcal{E}_m(A, B)$ and $\mathcal{E}_n(C, D)$ give rise to elliptic extensions of $\mathbb{Z}/(m \cdot \mathbb{Z})$, $\mathbb{Z}/(n \cdot \mathbb{Z})$. Let these extensions be defined over the saturated $\varphi(L)$-th cyclotomic extensions $(\mathrm{R}_m, \zeta_m, \sigma_m)$ and $(\mathrm{R}_n, \zeta_n, \sigma_n)$ respectively.

If $m, n$ are primes, then the eigenvalues of the Frobenius are $\mu + 1, \overline{\mu} + 1$ for $\Phi_m$ and $\mu, \overline{\mu}$ for $\Phi_n$, as one deduces from the sizes of the curves. By definition of the Elkies primes, they split in $\mathcal{O}(\mathbb{K})$ and for each prime $\ell \mid L$ we have $(\ell) = \mathfrak{l}_1 \cdot \mathfrak{l}_2$; one should check additionally that:

(35) $\lambda_m \in \{\mu + 1 \bmod \mathfrak{l}_1,\ \overline{\mu} + 1 \bmod \mathfrak{l}_1\}$, $\quad \lambda_n \in \{\mu \bmod \mathfrak{l}_1,\ \overline{\mu} \bmod \mathfrak{l}_1\}$.

Then (30) implies that there are two integers $k, k'$ such that:

$$\pi = \mu^k \bmod L\mathcal{O}, \quad \pi + \delta = (\mu + 1)^{k'} \bmod L\mathcal{O}.$$

Remark 4. The numbers $k, k'$ are determined by $k = l_v(p)$ and $k' = l_v(q)$ for each prime power $v^e \,\|\, \varphi(L)$. Using also (23) both for $m$ and $n$, it follows that

(36) $(\mu + 1)^k - \mu^{k'} = \delta \bmod L\mathcal{O}$.

Note that the fact that the $\varphi(L)$-th extension is saturated requires in particular, that for each prime $v \mid \varphi(L)$ with saturation exponent $j$, the power $v^j \mid \varphi(L)$.

One may consider (36) as an equation in the unknowns $k, k'$. In particular, $(1, 1)$ is always a possible solution, for which $\delta = 1$. It is possible that for certain $L$, the trivial one is the only solution. We shall say that a square free integer $L$, which is a product of primes $\ell$ that split in $\mathcal{O}(\mathbb{K})$ and such that (36) has only the trivial solution, is a good $L$ with respect to the dual pseudoprimes $m, n$. This property has important consequences for the cyclotomy test, as shown by the following

Theorem 5. Let $m, n$ be dual elliptic pseudoprimes associated to an order $\mathcal{O} \subset \mathbb{K} = \mathbb{Q}[\sqrt{-d}]$ and let $m = \mu \cdot \overline{\mu}$, $n = (\mu + 1)(\overline{\mu} + 1)$ be the respective factorizations in $\mathcal{O}$.

Suppose that $L \in \mathbb{N}$ is a square free integer for which an $L$-th elliptic extension exists both for $\mathbb{Z}/(m \cdot \mathbb{Z})$ and $\mathbb{Z}/(n \cdot \mathbb{Z})$ and they are defined using the saturated $\varphi(L)$ extensions $(\mathrm{R}_m, \zeta_m, \sigma_m)$ and $(\mathrm{R}_n, \zeta_n, \sigma_n)$ respectively; suppose that (35) holds for the eigenvalues of these extensions. If the system (36) has only the trivial solution $(k, k') = (1, 1)$ and $p \mid m$; $q \mid n$ are two dual elliptic primes, then

(37) $l_v(p) = l_v(q) = 1 \bmod v^N$, for each prime $v \mid \varphi(L)$ and $N > 0$.

Proof. The statement (37) is a direct consequence of Remark 4 and the fact that the $\varphi(L)$-th extensions are saturated. □

The Theorem suggests the following procedure for eliminating the final trial division step in the cyclotomy test:

1. Start with a pair of dual elliptic pseudoprimes $m, n$ associated to an order $\mathcal{O}$ and choose two parameters $s, t$ with $s \mid (n^t - 1, m^t - 1)$ for a cyclotomy test, as indicated by Remark 3.

2. Search by trial and error a square free $L$ such that $t \mid \varphi(L)$ and an elliptic $L$-th extension of $\mathbb{Z}/(m \cdot \mathbb{Z})$ and of $\mathbb{Z}/(n \cdot \mathbb{Z})$ exists. Note that the primes dividing $L$ need to be Elkies primes, which depends on $\mathcal{O}$ and not on the individual values of $m, n$. They may but need not divide $s$.

3. Suppose that additionally (35) holds and (36) has only the trivial solution.

If such a construction succeeds together with the main stage of the cyclotomy test for $m, n$ and these are not primes, then there are two (dual elliptic) primes $p \mid m$; $q \mid n$ with $p < \sqrt{m}$, $q < (\sqrt{p} + 1)^2$ and such that

(38) $p = m \bmod L \cdot s$ and $q = n \bmod L \cdot s$.

This follows from (37) together with the fact that the existence of an $Ls$-th cyclotomic extension is jointly proved by the cyclotomy test and the above additional steps. In particular, the final trial division is herewith superfluous.

5.2. Heuristics. We complete this section with a heuristic analysis of the odds of finding $L$ which verifies the conditions of Theorem 5. We start with some simplifications and consider one prime $\ell \mid L$ with $\ell > 3$ and which factors in $\mathcal{O}$ according to $(\ell) = \mathfrak{l}_1 \cdot \mathfrak{l}_2$. We let $x = \mu \bmod \mathfrak{l}_1$ and $y = \overline{\mu} \bmod \mathfrak{l}_1$, with $x, y \in \mathbb{F}_\ell$. Restricted to $L = \ell$, the system (36) becomes in this notation: $x^k + \delta = (x + 1)^{k'}$ and $y^k + \delta = (y + 1)^{k'}$. Fix a generator $g \in \mathbb{F}_\ell^*$ and consider the discrete logarithm in $\mathbb{F}_\ell^*$ with respect to $g$.

We shall assume for simplicity that $x, y, x + 1, y + 1$ also generate the multiplicative group $\mathbb{F}_\ell^*$, so

(39) $\log(a) \in (\mathbb{Z}/(\ell - 1) \cdot \mathbb{Z})^*$ for $a \in \{x, y, x + 1, y + 1\}$.

Consider the functions $f_x, f_y : \mathbb{Z}/((\ell - 1) \cdot \mathbb{Z}) \to \mathbb{Z}/((\ell - 1) \cdot \mathbb{Z})$ given by

$$f_x(k) = \frac{\log(x^k + \delta)}{\log(x + 1)}, \qquad f_y(k) = \frac{\log(y^k + \delta)}{\log(y + 1)}.$$

The system (36) is now $f_x(k) = f_y(k) = k'$. We exclude the couple $(1, 1)$, corresponding to the trivial solution, from the graph of $f_x$. Furthermore $x \ne 0$ and $x + 1 \ne 0$, and thus $x^k \ne -\delta$ and $(x + 1)^{k'} \ne \delta$. This excludes an additional pair $(a, b)$ from the graph of $f_x$. The same holds for $f_y$ and both maps are restricted to domains and codomains of equal size $\ell - 3$.

Fact 3. Our heuristic is based on the assumption that the functions $f_x, f_y$ are well modeled by random permutations of $S_{\ell - 3}$. In particular, modulo a redefinition of either domain or codomain, the maps are invertible and the system (36) reduces to $f_y^{-1} \circ f_x(k) = k$. According to our model, the map $h_{x,y} = f_y^{-1} \circ f_x$ is also a random permutation and it should have at least one fixed point.

The number of fixed points of random permutations is well understood: it has expected value $1$ and is Poisson distributed. Asymptotically, the individual probabilities are $P_k = P(h \text{ has } k \text{ fixpoints}) = \frac{1}{e \cdot k!}$. Along with the expected value, we are interested in the probability that $h$ has no fix points at all, which is $P_0 = 1/e$. The limsupx^^ y(j^)iogiog(x) - <^ for some $C > 0$, []. For fixed $x, y, x + 1, y + 1$ and a given $0 < B < \log(m)$, a prime $\ell = 1 \bmod B$ such that (39) holds occurs with probability $P > C/(\log\log(B))^4$. The heuristic model implies that with expectation $1/e$, (36) will only have the trivial solution for such a prime.

A further approach which can be analyzed with the same model is the following: choose $\ell_1, \ell_2$ like above, and let $n_1, n_2$ be the respective numbers of fixed points. The expected values are $n_1 = n_2 = 1$. Suppose that $(\ell_1 - 1, \ell_2 - 1) = d$ and let $k, k' \in \mathbb{Z}/(\varphi(L) \cdot \mathbb{Z})$ be a non trivial solution of (36). Let $k_i = k \bmod (\ell_i - 1)$; $k'_i = k' \bmod (\ell_i - 1)$, $i = 1, 2$ be the exponents with respect to $\ell_i$. They correspond to some of the $n_i$ solutions modulo $\ell_i$, and thus $k_1 = k_2 \bmod d$; $k'_1 = k'_2 \bmod d$. Since there is on average only one solution modulo each prime, this solution must verify the above pair of additional conditions, which are met with probability $1/d^2$. Thus, if $d > 1$, the probability that (36) has a solution for $L$ as above is $1/d^2 < 1/e$ and trying at least two primes yields a stronger filtering.

Certainly, the condition (39) is only necessary for a simpler heuristic argument. The analysis may become difficult when some of $x, y, x + 1, y + 1$ are not generators. The odds of finding a good $L$ are though in the same range of magnitude. For the purpose of finding good $L$, we thus propose the more general algorithm:

Algorithm ACE (Auxiliary Cyclotomic & Elliptic Extensions)

Input. $m, n$ a couple of dual elliptic pseudoprimes with respect to $\mathcal{O}$ with given factorization; $t$, an exponent for a CPP test. Output. $L$ a square-free integer with $t \mid \varphi(L)$ and such that (36) has only the trivial solution modulo $L$. Compute a sequence of primes $\ell_i > 3$; $i = 1, 2, \ldots, h$ and let $L_i = \prod_{j \le i} \ell_j$, such that

(i) $d_i = (\ell_i - 1, \varphi(L_{i-1})) > 1$.

(ii) $L = L_h$ is such that $t \mid \varphi(L)$.

(iii) The equations (36) have no non trivial solutions modulo $L$.
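As an added example (not the paper's implementation), the following Python carries out condition (iii) of Algorithm ACE by exhaustive search for small Elkies primes: it computes $x = \mu \bmod \mathfrak{l}_1$ and $y = \overline{\mu} \bmod \mathfrak{l}_1$, enumerates every $(k, k', \delta)$ solving the two equations of Section 5.2 modulo each $\ell$, and glues the per-prime solutions modulo $\gcd(\ell_i - 1, \ell_j - 1)$ as in the filtering of Remark 5.B; it assumes $\mathcal{O}$ is the maximal order of $\mathbb{Q}(\sqrt{-d})$, treats $\delta = \pm 1$ as an unknown alongside $k, k'$, and all function names are my own.

```python
# Added example (not the paper's code): the "good L" test of Algorithm ACE,
# condition (iii), done by exhaustive search for small Elkies primes.
# Assumes O is the maximal order of Q(sqrt(-d)); all function names are my own.
from itertools import product
from math import gcd
from typing import Dict, List, Set, Tuple

Sol = Tuple[int, int, int]       # (k, k', delta) with delta in {+1, -1}
TRIVIAL: Sol = (1, 1, 1)         # k = k' = 1, delta = 1 always solves (36)


def residues_of_mu(a: int, b: int, d: int, ell: int) -> Tuple[int, int]:
    """x = mu mod l1 and y = conj(mu) mod l1 in F_ell for mu = a + b*w, where
    w = (1+sqrt(-d))/2 if d = 3 mod 4 else sqrt(-d), and (ell) = l1 * l2.
    If r is a root of the minimal polynomial T^2 - Tr(w) T + N(w) of w mod ell,
    then l1 = (ell, w - r) and the conjugate root is Tr(w) - r."""
    t, nw = (1, (1 + d) // 4) if d % 4 == 3 else (0, d)
    roots = [r for r in range(ell) if (r * r - t * r + nw) % ell == 0]
    if len(roots) != 2:
        raise ValueError(f"{ell} does not split in O, so it is not an Elkies prime")
    r = roots[0]
    return (a + b * r) % ell, (a + b * (t - r)) % ell


def solutions_mod_prime(x: int, y: int, ell: int) -> Set[Sol]:
    """All (k, k', delta), k, k' in Z/(ell-1), delta = +-1, with
         x^k + delta = (x+1)^k'  and  y^k + delta = (y+1)^k'   in F_ell,
    i.e. the system (36) restricted to L = ell in the notation of 5.2."""
    if x in (0, ell - 1) or y in (0, ell - 1):
        raise ValueError("x, y, x+1, y+1 must all be non-zero mod ell")
    order = ell - 1                      # exponents live in Z/(ell-1) for units
    px = [pow(x, k, ell) for k in range(order)]
    py = [pow(y, k, ell) for k in range(order)]
    px1 = [pow(x + 1, k, ell) for k in range(order)]
    py1 = [pow(y + 1, k, ell) for k in range(order)]
    sols: Set[Sol] = set()
    for k, kp in product(range(order), repeat=2):
        for delta in (1, -1):
            if (px[k] + delta) % ell == px1[kp] and (py[k] + delta) % ell == py1[kp]:
                sols.add((k, kp, delta))
    return sols


def glue_solutions(per_prime: Dict[int, Set[Sol]]) -> List[Dict[int, Sol]]:
    """Non-trivial solutions modulo L = prod(per_prime): one solution per prime,
    all with the same delta, with k and k' agreeing modulo
    gcd(ell_i - 1, ell_j - 1) for every pair of primes (Remark 5.B filtering)."""
    primes = sorted(per_prime)
    glued = []
    for choice in product(*(sorted(per_prime[p]) for p in primes)):
        ok = len({s[2] for s in choice}) == 1        # common delta
        for i in range(len(primes)):
            for j in range(i + 1, len(primes)):
                dg = gcd(primes[i] - 1, primes[j] - 1)
                ok = ok and ((choice[i][0] - choice[j][0]) % dg == 0
                             and (choice[i][1] - choice[j][1]) % dg == 0)
        if ok and any(s != TRIVIAL for s in choice):
            glued.append(dict(zip(primes, choice)))
    return glued


def is_good_L(a: int, b: int, d: int, primes: List[int]) -> bool:
    """Condition (iii) of ACE: (36) has only the trivial solution modulo L."""
    per_prime = {}
    for ell in primes:
        x, y = residues_of_mu(a, b, d, ell)
        per_prime[ell] = solutions_mod_prime(x, y, ell)
    return not glue_solutions(per_prime)


if __name__ == "__main__":
    # Constructed sample: mu = 1 + 3w in Z[w], w = (1+sqrt(-3))/2, so that
    # m = N(mu) = 13 and n = N(mu + 1) = 19 form a (prime) dual elliptic pair.
    A, B, D = 1, 3, 3
    for ell in (7, 31, 37):          # primes = 1 mod 3 split in Z[w]; 13, 19 excluded
        x, y = residues_of_mu(A, B, D, ell)
        print(ell, (x, y), sorted(solutions_mod_prime(x, y, ell)))
    print("L = 7 good:", is_good_L(A, B, D, [7]), " L = 7*31 good:", is_good_L(A, B, D, [7, 31]))
```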

Remark 5. A. We have implemented this algorithm. In most cases, the equations had only the trivial solution for $L$ a product of two primes. In more than one fourth of the cases, this happened already for one prime, and we encountered no case in which a product of more than three primes was necessary for a good $L$. Thus the experimental results in the general case are close to the heuristic predictions for the particular case in which (39) holds.

B. The condition (i) has the following purpose: in general, we reach a good $L_j$ already for $j < 3$, however the condition $t \mid \varphi(L)$ will not be fulfilled. Suppose thus that $L_j$ is good and (36) has at least one non trivial solution $(k, k')$ for $\ell_{j+1}$. If $d_{j+1} > 1$, since $L_j$ is good, we must have $k = k' = 1 \bmod d_{j+1}$; this allows filtering. In practice, one shall choose $d_j$ to be at least divisible by some factors of $t$.

C. Assume that $B > 0$ is such that all prime power factors of $t$ are $\le B$ and the number of prime factors is also $\le B$; see (21). We claim that the Algorithm ACE will complete in average time 0{B^^^). For the analysis, we use again the slower approach, in which one seeks for each prime power $v \mid t$ a good prime $\ell = 1 \bmod v$, such that (39) holds. By Fact 3, a good prime for which (39) holds occurs with probability $O(1/(\log\log(B))^4)$. Combining with the probability to find a prime $\ell = 1 \bmod v$ estimated with the Linnik constant, we deduce that for sufficiently large $t$ and thus $B$, there is a good prime ℓ(v) < B^^'^ with $\ell(v) = 1 \bmod v$ for each prime power $v \mid t$. It takes 0{B^^'^) to find such a prime. Repeating this for all $v \mid t$ will take at most 0{B^^^) operations, as claimed. In practice, by (12), $B = O(\log\log(m))$ and thus the time required by the ACE Algorithm is negligible.

5.3. On constructing Elkies factors. We finally add some detail on the construction of the Elkies factors of $\ell$-th torsion polynomials $\psi_\ell$. Let $m, n$ be dual elliptic pseudoprimes as above and $\ell$ be an Elkies prime. We consider the $\ell$-torsion polynomial of $\mathcal{E}_n(C, D)$, which should have $x = \mu \bmod \mathfrak{l}_1$ as an eigenvalue, where $(\ell) = \mathfrak{l}_1 \cdot \mathfrak{l}_2$ is the splitting of $\ell$ in $\mathcal{O}(\mathbb{K})$. If $n$ is prime, there is an Elkies factor verifying:

$$X^n - g_x(X) \equiv 0 \bmod F(X),$$

where $g_x$ is the multiplication polynomial defined in (9) with respect to $\psi_\ell(X)$. For pseudoprime $n$, we let

(40) $h_1(X) = X^n \text{ rem } \psi_\ell(X)$, $\quad h_2(X) = g_x(X) \text{ rem } \psi_\ell(X)$ and $\quad F(X) = \mathrm{GCD}(\psi_\ell(X), h_1(X) - h_2(X))$.

If $x^2 = m \bmod \ell$, then the eigenvalue $x$ is double and we may discard $\ell$ or use direct factorization, e.g. some variant of the Berlekamp algorithm [40], Chapter V, for finding an Elkies factor.

If $x^2 \ne m \bmod \ell$ and $F(X)$ does not verify the defining conditions for an Elkies factor, then $n$ must be composite, and the primality test would stop at this point. Otherwise $F(X)$ is a factor which can be used in proving existence of an $\ell$-th elliptic extension.

6. Applications to Cyclotomy

We now come to the application of dual elliptic pseudoprimes for the cyclotomy primality test. A first application of these pseudoprimes was given in [26] and it took advantage of Corollary 1 and the implied fourth root order bound (33) on the difference between the smallest eventual divisors of $(m, n)$; this was an improvement on methods for finding divisors in residue classes, like [22], [12].

By using elliptic extensions and Theorem 5, we are in the more pleasant situation that trial division may be completely eliminated in the cyclotomy tests. The particularity of our new algorithm consists in the unusual fact that, for proving primality of one pseudoprime, it is more efficient to do so for two pseudoprimes simultaneously. Only this allows, of course, to use the strong implications of duality.

Suppose that $n$ is a test number like before and a second strong pseudoprime $m < n$ was found, such that $(m, n)$ are dual elliptic pseudoprimes with respect to the order $\mathcal{O} \subset \mathbb{K} = \mathbb{Q}(\sqrt{-d})$. We choose some parameters $s, t$ with $s > 2n^{1/4}$ and $t = \lambda(s)$, the Carmichael function. Then we find a good $L$ with the algorithm ACE and choose a divisor $s' \mid s$ such that for $S = s' \cdot L$, the inequality

(41) $|(m \text{ rem } S) - (n \text{ rem } S)| > 2n^{1/4}$

holds. Next one performs the main stage of the cyclotomy test for $S$, on both $m$ and $n$, and proves the existence of an $L$-th elliptic extension by verifying (24), (25) in the same working extensions used for the cyclotomy test. Since $t \mid \varphi(L)$ and equality is not necessary, some additional working extensions will in general be required. Note that in building elliptic Jacobi sums, one has also to check that the primes involved are not exceptional conductors. If this happens, the respective $\ell \mid L$ should be replaced by a new one, keeping the properties of $L$ valid.

Theorem 3 implies that there is a prime $p < \sqrt{n}$, $p \mid n$ and a dual elliptic $q$ to $p$, which divides $m$. Furthermore, the algorithm ACE and (38) imply that

$$|p - q| = |(m \text{ rem } S) - (n \text{ rem } S)| > 2n^{1/4},$$

in contradiction with (33), and it follows that $m, n$ must be primes.

We formulate the strategy described above in algorithmic form.

Algorithm CIDE ( Cyclotomy Initialized by Dual Elliptic tests )
Let $n$ be a strong pseudoprime.

1. Find a dual elliptic pseudoprime $m$ to $n$, with respect to an
order $\mathcal{O} \subset K = $ by using standard versions of ECPP.
If none can be found ( in affordable time ), then stop or skip
to a classical cyclotomy test for $n$.

2. Choose the parameters $s, t$ such that (PT) is verified and $t = $ Ks)( m).

3. Find a good $L$ using algorithm ACE and let $S = L \cdot s'$, where
$s'$ is the smallest factor of $s$ such that (HD) is verified by $S$.

4. Construct saturated working extensions of $\mathbb{Z}/(m \cdot \mathbb{Z})$, $\mathbb{Z}/(n \cdot \mathbb{Z})$
for each prime $v \mid \varphi(L)$. Let $R_m, R_n$ be their compositum.

5. Perform in $R_m$ respectively $R_n$ the Jacobi sum tests (20) necessary
for proving the existence of $S$-th cyclotomic extensions
of $\mathbb{Z}/(n \cdot \mathbb{Z})$ and of $\mathbb{Z}/(m \cdot \mathbb{Z})$.

6. Compute the elliptic Jacobi sums related to formulae (24) and
(25) for all $\ell \mid L$, and replace $\ell$ if it turns out to be an exceptional
conductor.

7. Perform in $R_m$ respectively $R_n$ the elliptic Jacobi sum tests
implied by (24) and (25), which are necessary for proving
the existence of $L$-th elliptic extensions of $\mathbb{Z}/(n \cdot \mathbb{Z})$ and of
$\mathbb{Z}/(m \cdot \mathbb{Z})$.

8. Declare $m$ and $n$ prime if all the above tests are passed successfully.
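As an added illustration, not part of the original paper: the Python script below makes the definition of dual elliptic primes concrete for small $p$. It enumerates every short Weierstrass curve $y^2 = x^3 + ax + b$ over $\mathbb{F}_p$, counts points with Legendre symbols, keeps the prime group orders $q$, and checks the Hasse bound $|p + 1 - \#E| \le 2\sqrt{p}$. That bound is what keeps $|p - q|$ small for a dual elliptic pair and is the fact the contradiction argument above relies on; it is also the object Step 1 of CIDE searches for at scale, where ECPP uses CM curves instead of brute force. The function names, the brute-force search and the sample primes are the example's own assumptions.

```python
"""Brute-force dual elliptic primes for small p (added example, not from the paper).

Two primes p, q are dual elliptic when some elliptic curve over F_p has
exactly q points.  For small p every curve is found by enumerating all
(a, b) with nonsingular y^2 = x^3 + a x + b, so the set of dual elliptic
primes of p can be computed exactly and the Hasse bound checked on each.
"""
from math import sqrt


def is_prime(n: int) -> bool:
    """Deterministic trial division; adequate for the small inputs used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def legendre(v: int, p: int) -> int:
    """Legendre symbol (v/p) in {-1, 0, 1} for an odd prime p, via Euler's criterion."""
    v %= p
    if v == 0:
        return 0
    return 1 if pow(v, (p - 1) // 2, p) == 1 else -1


def curve_order(a: int, b: int, p: int) -> int:
    """#E(F_p) for E: y^2 = x^3 + a x + b.

    Each x contributes 1 + (x^3+ax+b / p) affine points; adding the point at
    infinity gives p + 1 + sum of Legendre symbols.
    """
    return p + 1 + sum(legendre(x * x * x + a * x + b, p) for x in range(p))


def hasse_ok(order: int, p: int) -> bool:
    """Hasse bound |p + 1 - #E| <= 2 sqrt(p), checked exactly as (p+1-#E)^2 <= 4p."""
    t = p + 1 - order
    return t * t <= 4 * p


def dual_elliptic_primes(p: int) -> set:
    """All primes q such that some elliptic curve over F_p has exactly q points.

    Requires p >= 5 so that every curve over F_p has a short Weierstrass model
    and the enumeration over (a, b) misses no isomorphism class.
    """
    if p < 5 or not is_prime(p):
        raise ValueError("p must be a prime >= 5")
    found = set()
    for a in range(p):
        for b in range(p):
            if (4 * a * a * a + 27 * b * b) % p == 0:
                continue  # singular cubic, not an elliptic curve
            n_pts = curve_order(a, b, p)
            assert hasse_ok(n_pts, p), "point count violates the Hasse bound"
            if is_prime(n_pts):
                found.add(n_pts)
    return found


def is_dual_elliptic(p: int, q: int) -> bool:
    """True iff q is a dual elliptic prime of p (brute force, small p only)."""
    return q in dual_elliptic_primes(p)


def max_dual_gap(p: int) -> int:
    """Largest |p - q| over the dual elliptic primes q of p.

    By Hasse this never exceeds 2 sqrt(p) + 1, which is the separation the
    cyclotomy stage of CIDE turns into a contradiction via (41).
    """
    return max(abs(p - q) for q in dual_elliptic_primes(p))


if __name__ == "__main__":
    # Constructed sample primes; the output lists each p, its dual elliptic primes,
    # and the observed gap against the Hasse-derived bound 2 sqrt(p) + 1.
    for p in (7, 11, 13, 31):
        print(p, sorted(dual_elliptic_primes(p)),
              "max |p-q| =", max_dual_gap(p), "bound %.2f" % (2 * sqrt(p) + 1))
```

For primes of cryptographic or primality-proving size the double loop is of course hopeless; there one picks a CM order, as Step 1 of CIDE does with ECPP, so that the candidate order $q$ is computed from a Cornacchia solution rather than by counting points.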

6.1. Run Time. We split the computations for a CIDE test for a probable prime
$n \in \mathbb{N}$ into three main stages:

I. Find a dual elliptic pseudoprime $m$ to $n$.
II. Perform cyclotomy tests for $m, n$.

III. Find an $L$ with the ACE algorithm and prove the existence of an $L$-th
elliptic extension for $m$ and $n$.

If the Jacobi sums for Step II are computed in essentially linear time, e.g. by
using the algorithm of Ajtai et al. [3], then Step II reduces to the main stage
of the cyclotomy test. This stage is polynomial and takes $O(\log^3(n))$ binary steps
[pS]. As mentioned above, heuristic arguments suggest that Step I also takes cubic
time [Sg], [17].

We analyze the run time for Step III using the heuristics in Fact 3. Let the
bound $B$ be defined by (21): the factors of $L$ will be $\ell <$ and their number is
$< B$. For each factor one has to perform some elliptic Jacobi sum tests, at most
$\log(B)$; the degree of the extensions where the tests are performed is also $< B^2$.
Altogether, using $B = O(\log\log(n))$, this implies that Step III is performed in

$O\left(\log^{2+\varepsilon}(n) \times B^{3+\varepsilon}\right) \subset O\left(\log^{2+\varepsilon}(n)\right)$

binary operations. Step III is thus dominated by Steps I and II. Hence, the
run time of the algorithm CIDE is

$O\left(\log(n)^{3+\varepsilon}\right)$.

Remark 6. Using the certification algorithm described in [28], one can also provide 
primality certificates which can be verified in quadratic time. Note that this time 
is unconditional and can be achieved also if no certified Jacobi sum tables are 
available. 

7. Conclusions 

Since the summer of 2002 the theoretical problem of primality proving is solved:
Primes is in P, as Agrawal, Kayal and Saxena laconically put it in the title of their
magnificent paper [2]. Apart from the thus closed search for a polynomial time
deterministic algorithm, there is an alternative question concerning primality proving,
namely: "How large general numbers can currently be proved on a computer?"

It is a general fact that provable algorithms are different from their practical
versions, which, if they exist, may lose some or many of the theoretical advantages
but work conveniently in practice. Thus, the algorithm of Goldwasser and Kilian
[18], [19] has been proved to terminate in random polynomial time for all but an
exponentially thin set of inputs; it has hardly ever been implemented, for the complexity
reasons mentioned in the introduction. In exchange, the ideas of Atkin [4] led to
the currently widespread version of ECPP [32], which works very well in practice.
As already mentioned, the choice of the fields of complex multiplication is in this
version such that no proof of polynomial time termination is known; however, the
algorithm works very stably in practice and the heuristic arguments brought forward in [17]
explain this fact.

The situation is even more bizarre with the cyclotomy test: from the complexity
theoretic point of view it should not even be taken into consideration, since
it is superpolynomial. For the range of primes which are currently affordable for
computer proofs, it works very efficiently. A fortiori, the combination of cyclotomy
and elliptic curves provided by CIDE has good reasons to be the medium term
provider of the largest primality proofs, and the generation of certificates which can be
verified in quadratic time, as observed in Remark 6, is also an appealing novelty.
Furthermore, the algorithm has random cubic run time, based on the heuristics of
[17] and the ones in Fact 3.

Finally, the test of Agrawal, Kayal and Saxena has, for computer implementation,
a serious space problem. Even the nice idea of Berrizbeitia [7], [8], [5], which brings
an important run-time improvement, does not remove this problem. It is not
likely that primes larger than 500 decimal digits, say, will be proved in the near
future with any variation of the AKS algorithm, unless new ideas are found for
solving the space problem.

In conclusion, it is a mathematically appealing and relevant goal to seek an
efficient variant of AKS, while on the side of CPP the construction of Jacobi sums
remains a small problem which is interesting per se. The algorithm of Ajtai, Kumar
and Sivakumar yields however a random polynomial solution which is satisfactory
in theory, while the LLL and PARI approaches may solve the practical problem for
conceivable applications during the next years or even decades.